Commit e37b7014 authored by Tomas Mraz's avatar Tomas Mraz Committed by Kurt Roeckx

Unbreak SECLEVEL 3 regression causing it to not accept any ciphers.



Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
GH: #7391
(cherry picked from commit 75b68c9e4e8591a4ebe083cb207aeb121baf549f)
parent 98f62979
+2 −2
@@ -951,8 +951,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
            if (level >= 2 && c->algorithm_enc == SSL_RC4)
                return 0;
            /* Level 3: forward secure ciphersuites only */
            if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
            if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
                return 0;
            break;
        }
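Review bot: The comment above the level-3 check still reads only `/* Level 3: forward secure ciphersuites only */` and does not explain why TLSv1.3 ciphersuites bypass the `algorithm_mkey` test, which is precisely the reasoning the corrected `&&` condition encodes and that the earlier `||` form got wrong. I would expand it to `/* Level 3: forward secure ciphersuites only. TLSv1.3 suites are exempt from the SSL_kEDH/SSL_kEECDH check, presumably because their key exchange is not recorded in algorithm_mkey (confirm) */` so the next reader does not "simplify" the condition back. ssl_security_default_callback begins before the hunk and continues past its last line.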
+1 −1
@@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";

# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 27;  # = scalar @conf_srcs
plan tests => 28;  # = scalar @conf_srcs

# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
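--- /dev/null
+++ b/[path-not-shown: generated ssl-tests conf]
+# Generated with generate_ssl_tests.pl
+
+num_tests = 4
+
+test-0 = 0-SECLEVEL 3 with default key
+test-1 = 1-SECLEVEL 3 with ED448 key
+test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
+test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
+# ===========================================================
+
+[0-SECLEVEL 3 with default key]
+ssl_conf = 0-SECLEVEL 3 with default key-ssl
+
+[0-SECLEVEL 3 with default key-ssl]
+server = 0-SECLEVEL 3 with default key-server
+client = 0-SECLEVEL 3 with default key-client
+
+[0-SECLEVEL 3 with default key-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-SECLEVEL 3 with default key-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[1-SECLEVEL 3 with ED448 key]
+ssl_conf = 1-SECLEVEL 3 with ED448 key-ssl
+
+[1-SECLEVEL 3 with ED448 key-ssl]
+server = 1-SECLEVEL 3 with ED448 key-server
+client = 1-SECLEVEL 3 with ED448 key-client
+
+[1-SECLEVEL 3 with ED448 key-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+
+[1-SECLEVEL 3 with ED448 key-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2]
+ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
+server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
+client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
+ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
+server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
+client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+Groups = X25519
+PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
+CipherString = ECDHE:@SECLEVEL=3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+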
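--- /dev/null
+++ b/[path-not-shown: ssl-tests conf.in source]
@@ -0,0 +1,48 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+package ssltests;
+
+our @tests = (
+    {
+        name => "SECLEVEL 3 with default key",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
+        client => { },
+        test   => { "ExpectedResult" => "ServerFail" },
+    },
+    {
+        name => "SECLEVEL 3 with ED448 key",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("server-ed448-cert.pem"),
+                    "PrivateKey" => test_pem("server-ed448-key.pem") },
+        client => { },
+        test   => { "ExpectedResult" => "Success" },
+    },
+    {
+        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("server-ed448-cert.pem"),
+                    "PrivateKey" => test_pem("server-ed448-key.pem"),
+                    "MaxProtocol" => "TLSv1.2" },
+        client => { },
+        test   => { "ExpectedResult" => "Success" },
+    },
+    {
+        name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("p384-server-cert.pem"),
+                    "PrivateKey" => test_pem("p384-server-key.pem"),
+                    "Groups" => "X25519" },
+        client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
+                    "VerifyCAFile" => test_pem("p384-root.pem") },
+        test   => { "ExpectedResult" => "Success" },
+    },
+);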
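Review bot: The new file's license header reads `# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.`, which looks copied from a template rather than reflecting when this file was added; the range should carry this file's own year. None of the four entries says which SECLEVEL 3 rule it exercises, so a reader cannot tell why the default key yields `ServerFail` while the ED448 and P-384 keys yield `Success`, nor that the TLSv1.2-capped case is the one guarding the regression this commit fixes; a one-line `#` comment per entry would cover that, e.g. `# default server key is presumably below the level-3 strength requirement (confirm)` on the first and `# must still negotiate a forward-secure suite when capped at TLSv1.2` on the third. `test_pem` is not defined here and is presumably provided by the generator that consumes this file.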